Abstract

Symbolic Model Checking [3, 14] has proven to be a powerful technique for the verification of reactive systems. BDDs [2] have traditionally been used as a symbolic representation of the system. In this paper we show how boolean decision procedures, like Stålmarck’s Method [16] or the Davis & Putnam Procedure [7], can replace BDDs. This new technique avoids the space blow up of BDDs, generates counterexamples much faster, and sometimes speeds up the verification. In addition, it produces counterexamples of minimal length. We introduce a bounded model checking procedure for LTL which reduces model checking to propositional satisfiability. We show that bounded LTL model checking can be done without a tableau construction. We have implemented a model checker BMC, based on bounded model checking, and preliminary results are presented.


1 Introduction

Model checking [4] is a powerful technique for verifying reactive systems. Able to find subtle errors in real commercial designs, it is gaining wide industrial acceptance. Compared to other formal verification techniques (e.g. theorem proving) model checking is largely automatic.

In model checking, the specification is expressed in temporal logic and the system is modeled as a finite state machine. For realistic designs, the number of states of the system can be very large and the explicit traversal of the state space becomes infeasible. Symbolic model checking [3, 14], with boolean encoding of the finite state machine, can handle more than $10^{20}$ states. BDDs [2], a canonical form for boolean expressions, have traditionally been used as the underlying representation for symbolic model checkers [14]. Model checkers based on BDDs are usually able to handle systems with hundreds of state variables. However, for larger systems the BDDs generated during model checking become too large for currently available computers. In addition, selecting the right ordering of BDD variables is very important. The generation of a variable ordering that results in small BDDs is often time consuming or needs manual intervention. For many examples no space efficient variable ordering exists.

Propositional decision procedures (SAT) [7] also operate on boolean expressions but do not use canonical forms. They do not suffer from the potential space explosion of BDDs and can handle propositional satisfiability problems with thousands of variables. SAT based techniques have been successfully applied in various domains, such as hardware verification [17], modal logics [9], formal verification of railway control systems [1], and AI planning systems [11]. A number of efficient implementations are available. Some notable examples are the PROVE tool [1] based on Stålmarck’s Method [16], and SATO [18] based on the Davis & Putnam Procedure [7].

In this paper we present a symbolic model checking technique based on SAT procedures. The basic idea is to consider counterexamples of a particular length $k$ and generate a propositional formula that is satisfiable iff such a counterexample exists. In particular, we introduce the notion of bounded model checking, where the bound is the maximal length of a counterexample. We show that bounded model checking for linear temporal logic (LTL) can be reduced to propositional satisfiability in polynomial time. To prove the correctness and completeness of our technique, we establish a correspondence between bounded model checking and model checking in general. Unlike previous approaches to LTL model checking, our method does not require a tableau or automaton construction.

The main advantages of our technique are the following. First, bounded model checking finds counterexamples very fast. This is due to the depth first nature of SAT search procedures. Finding counterexamples is arguably the most important feature of model checking. Second, it finds counterexamples of minimal length. This feature helps the user to understand a counterexample more easily. Third, bounded model checking uses much less space than BDD based approaches. Finally, unlike BDD based approaches, bounded model checking does not need a manually selected variable order or time consuming dynamic reordering. Default splitting heuristics are usually sufficient.

To evaluate our ideas we have implemented a tool BMC based on bounded model checking. We give examples in which SAT based model checking significantly outperforms BDD based model checking. In some cases bounded model checking detects errors instantly, while the BDDs for the initial state cannot be built.

The paper is organized as follows. In the following section we explain the basic idea of bounded model checking with an example. In Section 3 we give the semantics for bounded model checking. Section 4 explains the translation of a bounded model checking problem into a propositional satisfiability problem. In Section 5 we discuss bounds on the length of counterexamples. In Section 6 our experimental results are presented, and Section 7 describes some directions for future research.

2 Example

Consider the following simple state machine $M$ that consists of a three bit shift register $x$ with the individual bits denoted by $x[0]$, $x[1]$, and $x[2]$. The predicate $T(x, x')$ denotes the transition relation between current state values $x$ and next state values $x'$ and is equivalent to:

$$(x'[0] = x[1]) \wedge (x'[1] = x[2]) \wedge (x'[2] = 1)$$

In the initial state the content of the register $x$ can be arbitrary. The predicate $I(x)$ that denotes the set of initial states is true.

This shift register is meant to be empty (all bits set to zero) after three consecutive shifts. But we introduced an error in the transition relation for the next state value of $x[2]$, where an incorrect value 1 is used instead of 0. Therefore, the property that eventually the register will be empty (written as $x = 0$) after a sufficiently large number of steps is not valid. This property can be formulated as the LTL formula $F(x = 0)$. We translate the “universal” model checking problem $AF(x = 0)$ into the “existential” model checking problem $EG(x \neq 0)$ by negating the formula. Then, we check if there is an execution sequence that fulfills $G(x \neq 0)$. Instead of searching for an arbitrary path, we restrict ourselves to paths that have at most $k+1$ states, for instance we choose $k = 2$. Call the first three states of this path $x_0$, $x_1$ and $x_2$ and let $x_0$ be the initial state (see Figure 1). Since the initial content of $x$ can be arbitrary, we do not have any restriction on $x_0$. We unroll the transition relation twice and derive the propositional formula $f_M$ defined as $I(x_0) \wedge T(x_0, x_1) \wedge T(x_1, x_2)$. We expand the definition of $T$ and $I$, and get the following formula.

$$(x_1[0] = x_0[1]) \wedge (x_1[1] = x_0[2]) \wedge (x_1[2] = 1) \wedge \qquad \text{1st step}$$
$$(x_2[0] = x_1[1]) \wedge (x_2[1] = x_1[2]) \wedge (x_2[2] = 1) \qquad \text{2nd step}$$

Fig. 1. Unrolling the transition relation twice and adding a back loop.

Any path with three states that is a “witness” for $G(x \neq 0)$ must contain a loop. Thus, we require that there is a transition from $x_2$ back to the initial state, to the second state, or to itself (see also Figure 1). We represent this transition as $L_l$, defined as $T(x_2, x_l)$, which is equivalent to the following formula.

$$(x_l[0] = x_2[1]) \wedge (x_l[1] = x_2[2]) \wedge (x_l[2] = 1)$$

Finally, we have to make sure that this path will fulfill the constraints imposed by the formula $G(x \neq 0)$. In this case the property $S_i$, defined as $x_i \neq 0$, has to hold at each state. $S_i$ is equivalent to the following formula.

$$(x_i[0] = 1) \vee (x_i[1] = 1) \vee (x_i[2] = 1)$$

Putting this all together we derive the following propositional formula.

$$f_M \wedge \bigvee_{l=0}^{2} L_l \wedge \bigwedge_{i=0}^{2} S_i \qquad (1)$$

This formula is satisfiable iff there is a counterexample of length 2 for the original formula $F(x = 0)$. In our example we find a satisfying assignment for (1) by setting $x_i[j] = 1$ for all $i, j = 0, 1, 2$.


3 Semantics

ACTL* is defined as the subset of formulas of CTL* [8] that are in negation normal form and contain only universal path quantifiers. A formula is in negation normal form (NNF) if negations only occur in front of atomic propositions. ECTL* is defined in the same way, but only existential path quantifiers are allowed. We consider the next time operator ‘X’, the eventuality operator ‘F’, the globally operator ‘G’, and the until operator ‘U’. We assume that formulas are in NNF. We can always transform a formula in NNF without increasing its size by including the release operator ‘R’ ($f\,R\,g$ iff $\neg(\neg f\,U\,\neg g)$). In an LTL formula no path quantifiers (E or A) are allowed. In this paper we concentrate on LTL model checking. Our technique can be extended to handle full ACTL* (resp. ECTL*).

Definition 1. A Kripke structure is a tuple $M = (S, I, T, \ell)$ with a finite set of states $S$, the set of initial states $I \subseteq S$, a transition relation between states $T \subseteq S \times S$, and the labeling of the states $\ell : S \to \mathcal{P}(\mathcal{A})$ with atomic propositions $\mathcal{A}$.

We use Kripke structures as models in order to give the semantics of the logic. For the rest of the paper we consider only Kripke structures for which we have a boolean encoding. We require that $S = \{0, 1\}^n$, and that each state can be represented by a vector of state variables $s = (s(1), \ldots, s(n))$ where $s(i)$ for $i = 1, \ldots, n$ are propositional variables. We define propositional formulas $f_I(s)$, $f_T(s, t)$ and $f_p(s)$ as: $f_I(s)$ iff $s \in I$, $f_T(s, t)$ iff $(s, t) \in T$, and $f_p(s)$ iff $p \in \ell(s)$. For the rest of the paper we simply use $T(s, t)$ instead of $f_T(s, t)$ etc. In addition, we require that every state has a successor state. That is, for all $s \in S$ there is a $t \in S$ with $(s, t) \in T$. For $(s, t) \in T$ we also write $s \to t$. For an infinite sequence of states $\pi = (s_0, s_1, \ldots)$ we define $\pi(i) = s_i$ and $\pi^i = (s_i, s_{i+1}, \ldots)$ for $i \in \mathbb{N}$. An infinite sequence of states $\pi$ is a path if $\pi(i) \to \pi(i+1)$ for all $i \in \mathbb{N}$.

Definition 2 (Semantics). Let $M$ be a Kripke structure, $\pi$ be a path in $M$ and $f$ be an LTL formula. Then $\pi \models f$ ($f$ is valid along $\pi$) is defined as follows.

$$\begin{array}{lcl}
\pi \models p & \text{iff} & p \in \ell(\pi(0)) \\
\pi \models \neg p & \text{iff} & p \notin \ell(\pi(0)) \\
\pi \models f \wedge g & \text{iff} & \pi \models f \text{ and } \pi \models g \\
\pi \models f \vee g & \text{iff} & \pi \models f \text{ or } \pi \models g \\
\pi \models G f & \text{iff} & \forall i.\ \pi^i \models f \\
\pi \models F f & \text{iff} & \exists i.\ \pi^i \models f \\
\pi \models X f & \text{iff} & \pi^1 \models f \\
\pi \models f\,U\,g & \text{iff} & \exists i\,[\,\pi^i \models g \text{ and } \forall j,\ j < i.\ \pi^j \models f\,] \\
\pi \models f\,R\,g & \text{iff} & \forall i\,[\,\pi^i \models g \text{ or } \exists j,\ j < i.\ \pi^j \models f\,]
\end{array}$$

Definition 3 (Validity). An LTL formula $f$ is universally valid in a Kripke structure $M$ (in symbols $M \models Af$) iff $\pi \models f$ for all paths $\pi$ in $M$ with $\pi(0) \in I$. An LTL formula $f$ is existentially valid in a Kripke structure $M$ (in symbols $M \models Ef$) iff there exists a path $\pi$ in $M$ with $\pi \models f$ and $\pi(0) \in I$.

Determining whether an LTL formula $f$ is existentially (resp. universally) valid in a given Kripke structure is called an existential (resp. universal) model checking problem.

In conformance to the semantics of CTL* [8], it is clear that an LTL formula $f$ is universally valid in a Kripke structure $M$ iff $\neg f$ is not existentially valid. In order to solve the universal model checking problem, we negate the formula and show that the existential model checking problem for the negated formula has no solution. Intuitively, we are trying to find a counterexample, and if we do not succeed then the formula is universally valid. Therefore, in the theory part of the paper we only consider the existential model checking problem.

The basic idea of bounded model checking is to consider only a finite prefix of a path that may be a solution to an existential model checking problem. We restrict the length of the prefix by a certain bound $k$. In practice we progressively increase the bound, looking for longer and longer possible counterexamples.

A crucial observation is that, though the prefix of a path is finite, it still might represent an infinite path if there is a back loop from the last state of the prefix to any of the previous states (see Figure 2(b)). If there is no such back loop (see Figure 2(a)), then the prefix does not say anything about the infinite behavior of the path. For instance, only a prefix with a back loop can represent a witness for $Gp$. Even if $p$ holds along all the states from $s_0$ to $s_k$, but there is no back loop from $s_k$ to a previous state, then we cannot conclude that we have found a witness for $Gp$, since $p$ might not hold at $s_{k+1}$.

Definition 4. For $l \leq k$ we call a path $\pi$ a $(k, l)$-loop if $\pi(k) \to \pi(l)$ and $\pi = u v^{\omega}$ with $u = (\pi(0), \ldots, \pi(l-1))$ and $v = (\pi(l), \ldots, \pi(k))$. We call $\pi$ simply a $k$-loop if there is an $l \in \mathbb{N}$ with $l \leq k$ for which it is a $(k, l)$-loop.


Fig. 2. The two cases for a bounded path: (a) no loop; (b) $(k, l)$-loop.


We give a bounded semantics that is an approximation to the unbounded semantics of Definition 2. It allows us to define the bounded model checking problem and in the next section we will give a translation of a bounded model checking problem into a satisfiability problem.

In the bounded semantics we only consider a finite prefix of a path. In particular, we only use the first $k+1$ states $(s_0, \ldots, s_k)$ of a path to determine the validity of a formula along that path. If a path is a $k$-loop then we simply maintain the original LTL semantics, since all the information about this (infinite) path is contained in the prefix of length $k$.

Definition 5 (Bounded Semantics for a Loop). Let $k \in \mathbb{N}$ and $\pi$ be a $k$-loop. Then an LTL formula $f$ is valid along the path $\pi$ with bound $k$ (in symbols $\pi \models_k f$) iff $\pi \models f$.

Assume that $\pi$ is not a $k$-loop. Then the formula $f := Fp$ is valid along $\pi$ in the unbounded semantics if we can find an index $i \in \mathbb{N}$ such that $p$ is valid along the suffix $\pi^i$ of $\pi$. In the bounded semantics the $(k+1)$-th state $\pi(k)$ does not have a successor. Therefore, we cannot define the bounded semantics recursively over suffixes (e.g. $\pi^i$) of $\pi$. We keep the original $\pi$ instead but add a parameter $i$ in the definition of the bounded semantics and use the notation $\models^i_k$. The parameter $i$ is the current position in the prefix of $\pi$. In Lemma 7 we will show that $\pi \models^i_k f$ implies $\pi^i \models f$.

Definition 6 (Bounded Semantics without a Loop). Let $k \in \mathbb{N}$, and let $\pi$ be a path that is not a $k$-loop. Then an LTL formula $f$ is valid along $\pi$ with bound $k$ (in symbols $\pi \models_k f$) iff $\pi \models^0_k f$ where

$$\begin{array}{lcl}
\pi \models^i_k p & \text{iff} & p \in \ell(\pi(i)) \\
\pi \models^i_k \neg p & \text{iff} & p \notin \ell(\pi(i)) \\
\pi \models^i_k f \wedge g & \text{iff} & \pi \models^i_k f \text{ and } \pi \models^i_k g \\
\pi \models^i_k f \vee g & \text{iff} & \pi \models^i_k f \text{ or } \pi \models^i_k g \\
\pi \models^i_k G f & & \text{is always false} \\
\pi \models^i_k F f & \text{iff} & \exists j,\ i \leq j \leq k.\ \pi \models^j_k f \\
\pi \models^i_k X f & \text{iff} & i < k \text{ and } \pi \models^{i+1}_k f \\
\pi \models^i_k f\,U\,g & \text{iff} & \exists j,\ i \leq j \leq k\,[\,\pi \models^j_k g \text{ and } \forall n,\ i \leq n < j.\ \pi \models^n_k f\,] \\
\pi \models^i_k f\,R\,g & \text{iff} & \exists j,\ i \leq j \leq k\,[\,\pi \models^j_k f \text{ and } \forall n,\ i \leq n \leq j.\ \pi \models^n_k g\,]
\end{array}$$

Note that if $\pi$ is not a $k$-loop, then we say that $Gf$ is not valid along $\pi$ in the bounded semantics with bound $k$ since $f$ might not hold along $\pi^{k+1}$. Similarly, the case for $f\,R\,g$ where $g$ always holds and $f$ is never fulfilled has to be excluded. These constraints imply that for the bounded semantics the duality of $G$ and $F$ ($\neg Ff = G\neg f$) and the duality of $R$ and $U$ ($\neg(f\,U\,g) = (\neg f)\,R\,(\neg g)$) no longer hold.

The existential and universal bounded model checking problems are defined in the same manner as in Definition 3. Now we describe how the existential model checking problem ($M \models Ef$) can be reduced to a bounded existential model checking problem ($M \models_k Ef$).

Lemma 7. Let $h$ be an LTL formula and $\pi$ a path, then $\pi \models_k h \Rightarrow \pi \models h$.

Proof. If $\pi$ is a $k$-loop then the conclusion follows by definition. In the other case we assume that $\pi$ is not a loop. Then we prove by induction over the structure of $h$ and $i \leq k$ the stronger property $\pi \models^i_k h \Rightarrow \pi^i \models h$. We only consider the most complicated case $h = f\,R\,g$.

$$\begin{array}{cl}
& \pi \models^i_k f\,R\,g \\
\Leftrightarrow & \exists j,\ i \leq j \leq k\,[\,\pi \models^j_k f \text{ and } \forall n,\ i \leq n \leq j.\ \pi \models^n_k g\,] \\
\Rightarrow & \exists j,\ i \leq j \leq k\,[\,\pi^j \models f \text{ and } \forall n,\ i \leq n \leq j.\ \pi^n \models g\,] \\
\Rightarrow & \exists j,\ i \leq j\,[\,\pi^j \models f \text{ and } \forall n,\ i \leq n \leq j.\ \pi^n \models g\,]
\end{array}$$

Let $j' = j - i$ and $n' = n - i$.

$$\begin{array}{cl}
\Rightarrow & \exists j'\,[\,\pi^{i+j'} \models f \text{ and } \forall n',\ n' \leq j'.\ \pi^{i+n'} \models g\,] \\
\Rightarrow & \exists j\,[\,(\pi^i)^j \models f \text{ and } \forall n,\ n \leq j.\ (\pi^i)^n \models g\,] \\
\Rightarrow & \forall n\,[\,(\pi^i)^n \models g \text{ or } \exists j,\ j < n.\ (\pi^i)^j \models f\,] \\
\Leftrightarrow & \pi^i \models f\,R\,g
\end{array}$$

In the next-to-last step we used the following fact:

$$\exists m\,[\,\pi^m \models f \text{ and } \forall l,\ l \leq m.\ \pi^l \models g\,] \;\Rightarrow\; \forall n\,[\,\pi^n \models g \text{ or } \exists j,\ j < n.\ \pi^j \models f\,]$$

Assume that $m$ is the smallest number such that $\pi^m \models f$ and $\pi^l \models g$ for all $l$ with $l \leq m$. In the first case we consider $n > m$. Based on the assumption, there exists $j < n$ such that $\pi^j \models f$ (choose $j = m$). The second case is $n \leq m$. Because $\pi^l \models g$ for all $l \leq m$ we have $\pi^n \models g$ for all $n \leq m$. Thus, for all $n$ we have proven that the disjunction on the right hand side is fulfilled. □

Lemma 8. Let $f$ be an LTL formula and $M$ a Kripke structure. If $M \models Ef$ then there exists $k \in \mathbb{N}$ with $M \models_k Ef$.

Proof. In [3, 5, 12] it is shown that an existential model checking problem for an LTL formula $f$ can be reduced to FairCTL model checking of the formula $EG\,\mathit{true}$ in a certain product Kripke structure. This Kripke structure is the product of the original Kripke structure and a “tableau” that is exponential in the size of the formula $f$ in the worst case. If the LTL formula $f$ is existentially valid in $M$ then there exists a path in the product structure that starts with an initial state and ends with a cycle in the strongly connected component of fair states. This path can be chosen to be a $k$-loop with $k$ bounded by $|S| \cdot 2^{|f|}$ which is the size of the product structure. If we project this path onto its first component, the original Kripke structure, then we get a path $\pi$ that is a $k$-loop and in addition fulfills $\pi \models f$. By definition of the bounded semantics this also implies $\pi \models_k f$. □


The main theorem of this section states that, if we take all possible bounds into account, then the bounded and unbounded semantics are equivalent.

Theorem 9. Let $f$ be an LTL formula, $M$ a Kripke structure. Then $M \models Ef$ iff there exists $k \in \mathbb{N}$ with $M \models_k Ef$.

4 Translation

In the previous section, we defined the semantics for bounded model checking. We now reduce bounded model checking to propositional satisfiability. This reduction enables us to use efficient propositional decision procedures to perform model checking.

Given a Kripke structure $M$, an LTL formula $f$ and a bound $k$, we will construct a propositional formula $[\![M, f]\!]_k$. The variables $s_0, \ldots, s_k$ in $[\![M, f]\!]_k$ denote a finite sequence of states on a path $\pi$. Each $s_i$ is a vector of state variables. The formula $[\![M, f]\!]_k$ essentially represents constraints on $s_0, \ldots, s_k$ such that $[\![M, f]\!]_k$ is satisfiable iff $f$ is valid along $\pi$.

The size of $[\![M, f]\!]_k$ is polynomial in the size of $f$ if common subformulas are shared (as in our tool BMC). It is quadratic in $k$ and linear in the size of the propositional formulas for $T$, $I$ and the $p \in \mathcal{A}$. Thus, existential bounded model checking can be reduced in polynomial time to propositional satisfiability.

To construct $[\![M, f]\!]_k$, we first define a propositional formula $[\![M]\!]_k$ that constrains $s_0, \ldots, s_k$ to be on a valid path $\pi$ in $M$. Second, we give the translation of an LTL formula $f$ to a propositional formula that constrains $\pi$ to satisfy $f$.

Definition 10 (Unfolding the Transition Relation). For a Kripke structure $M$, $k \in \mathbb{N}$

$$[\![M]\!]_k := I(s_0) \wedge \bigwedge_{i=0}^{k-1} T(s_i, s_{i+1})$$

Depending on whether a path is a $k$-loop or not (see Figure 2), we have two different translations of the temporal formula $f$. In Definition 11 we describe the translation if the path is not a loop (“$[\![\cdot]\!]_k$”). The more technical translation where the path is a loop (“${}_l[\![\cdot]\!]_k$”) is given in Definition 13.

Consider the formula $h := p\,U\,q$ and a path $\pi$ that is not a $k$-loop for a given $k \in \mathbb{N}$ (see Figure 2(a)). Starting at $\pi^i$ for $i \in \mathbb{N}$ with $i \leq k$ the formula $h$ is valid along $\pi$ with respect to the bounded semantics iff there is a position $j$ with $i \leq j \leq k$ and $q$ holds at $\pi(j)$. In addition, for all states $\pi(n)$ with $n \in \mathbb{N}$ starting at $\pi(i)$ up to $\pi(j-1)$ the proposition $p$ has to be fulfilled. Therefore the translation is simply a disjunction over all possible positions $j$ at which $q$ eventually might hold. For each of these positions a conjunction is added that ensures that $p$ holds along the path from $\pi(i)$ to $\pi(j-1)$. Similar reasoning leads to the translation of the other temporal operators.

The translation “$[\![\cdot]\!]^i_k$” maps an LTL formula into a propositional formula. The parameter $k$ is the length of the prefix of the path that we consider and $i$ is the current position in this prefix (see Figure 2(a)). When we recursively process subformulas, $i$ changes but $k$ stays the same. Note that we define the translation of any formula $Gf$ as false. This translation is consistent with the bounded semantics.


Definition 11 (Translation of an LTL Formula without a Loop). For an LTL formula $f$ and $k, i \in \mathbb{N}$, with $i \leq k$

Now we consider the case where the path is a $k$-loop. The translation ${}_l[\![\cdot]\!]^i_k$ of an LTL formula depends on the current position $i$ and on the length of the prefix $k$. It also depends on the position where the loop starts (see Figure 2(b)). This position is denoted by $l$ for loop.


Definition 12 (Successor in a Loop). Let $k, l, i \in \mathbb{N}$, with $l, i \leq k$. Define the successor $\mathit{succ}(i)$ of $i$ in a $(k, l)$-loop as $\mathit{succ}(i) := i + 1$ for $i < k$ and $\mathit{succ}(i) := l$ for $i = k$.

Definition 13 (Translation of an LTL Formula for a Loop). Let $f$ be an LTL formula, $k, l, i \in \mathbb{N}$, with $l, i \leq k$.

$$\begin{array}{lcl}
{}_l[\![p]\!]^i_k & := & p(s_i) \\
{}_l[\![\neg p]\!]^i_k & := & \neg p(s_i) \\
{}_l[\![f \wedge g]\!]^i_k & := & {}_l[\![f]\!]^i_k \wedge {}_l[\![g]\!]^i_k \\
{}_l[\![f \vee g]\!]^i_k & := & {}_l[\![f]\!]^i_k \vee {}_l[\![g]\!]^i_k \\
{}_l[\![G f]\!]^i_k & := & \bigwedge_{j=\min(i,l)}^{k} {}_l[\![f]\!]^j_k \\
{}_l[\![F f]\!]^i_k & := & \bigvee_{j=\min(i,l)}^{k} {}_l[\![f]\!]^j_k \\
{}_l[\![X f]\!]^i_k & := & {}_l[\![f]\!]^{\mathit{succ}(i)}_k \\
{}_l[\![f\,U\,g]\!]^i_k & := & \bigvee_{j=i}^{k} \Big( {}_l[\![g]\!]^j_k \wedge \bigwedge_{n=i}^{j-1} {}_l[\![f]\!]^n_k \Big) \vee \bigvee_{j=l}^{i-1} \Big( {}_l[\![g]\!]^j_k \wedge \bigwedge_{n=i}^{k} {}_l[\![f]\!]^n_k \wedge \bigwedge_{n=l}^{j-1} {}_l[\![f]\!]^n_k \Big) \\
{}_l[\![f\,R\,g]\!]^i_k & := & \bigwedge_{j=\min(i,l)}^{k} {}_l[\![g]\!]^j_k \vee \bigvee_{j=i}^{k} \Big( {}_l[\![f]\!]^j_k \wedge \bigwedge_{n=i}^{j} {}_l[\![g]\!]^n_k \Big) \vee \bigvee_{j=l}^{i-1} \Big( {}_l[\![f]\!]^j_k \wedge \bigwedge_{n=i}^{k} {}_l[\![g]\!]^n_k \wedge \bigwedge_{n=l}^{j} {}_l[\![g]\!]^n_k \Big)
\end{array}$$

The translation of the formula depends on the shape of the path (whether it is a loop or not). We now define a loop condition to distinguish these cases.

Definition 14 (Loop Condition). For $k, l \in \mathbb{N}$, let ${}_lL_k := T(s_k, s_l)$ and $L_k := \bigvee_{l=0}^{k} {}_lL_k$.

Definition 15 (General Translation). Let $f$ be an LTL formula, $M$ a Kripke structure and $k \in \mathbb{N}$

$$[\![M, f]\!]_k := [\![M]\!]_k \wedge \Big( \big( \neg L_k \wedge [\![f]\!]^0_k \big) \vee \bigvee_{l=0}^{k} \big( {}_lL_k \wedge {}_l[\![f]\!]^0_k \big) \Big)$$

The left side of the disjunction is the case where there is no back loop and the translation without a loop is used. On the right side all possible starts $l$ of a loop are tried and the translation for a $(k, l)$-loop is conjuncted with the corresponding ${}_lL_k$ loop condition.

Theorem 16. $[\![M, f]\!]_k$ is satisfiable iff $M \models_k Ef$.

Corollary 17. $M \models A\neg f$ iff $[\![M, f]\!]_k$ is unsatisfiable for all $k \in \mathbb{N}$.

5 Determining the bound

In Section 3 we have shown that the unbounded semantics is equivalent to the bounded semantics if we consider all possible bounds. This equivalence leads to a straightforward LTL model checking procedure. To check whether $M \models Ef$, the procedure checks $M \models_k Ef$ for $k = 0, 1, 2, \ldots$. If $M \models_k Ef$, then the procedure proves that $M \models Ef$ and produces a witness of length $k$. If $M \not\models Ef$, we have to increment the value of $k$ indefinitely, and the procedure does not terminate. In this section we establish several bounds on $k$. If $M \not\models_k Ef$ for all $k$ within the bound, we conclude that $M \not\models Ef$.

5.1 ECTL

ECTL is a subset of ECTL* where each temporal operator is preceded by one existential path quantifier. We have extended bounded model checking to handle ECTL formulas. Semantics and translation for ECTL formulas can be found in the full version of this paper. In general, better bounds can be derived for ECTL formulas than for LTL formulas. The intersection of the two sets of formulas includes many temporal properties of practical interest (e.g. $EFp$ and $EGp$). Therefore, we include the discussion of bounds for ECTL formulas in this section.

Theorem 18. Given an ECTL formula $f$ and a Kripke structure $M$. Let $|M|$ be the number of states in $M$, then $M \models Ef$ iff there exists $k \leq |M|$ with $M \models_k Ef$.

In symbolic model checking, the number of states in a Kripke structure is bounded by $2^n$, where $n$ is the number of boolean variables to encode the Kripke structure. Typical model checking problems involve Kripke structures with tens or hundreds of boolean variables. The bound given in Theorem 18 is often too large for practical problems.

Definition 19 (Diameter). Given a Kripke structure $M$, the diameter of $M$ is the minimal number $d \in \mathbb{N}$ with the following property. For every sequence of states $s_0, \ldots, s_{d+1}$ with $(s_i, s_{i+1}) \in T$ for $i \leq d$, there exists a sequence of states $t_0, \ldots, t_l$ where $l \leq d$ such that $t_0 = s_0$, $t_l = s_{d+1}$ and $(t_j, t_{j+1}) \in T$ for $j < l$. In other words, if a state $v$ is reachable from a state $u$, then $v$ is reachable from $u$ via a path of length $d$ or less.

Theorem 20. Given an ECTL formula $f := EFp$ and a Kripke structure $M$ with diameter $d$, $M \models EFp$ iff there exists $k \leq d$ with $M \models_k EFp$.

Theorem 21. Given a Kripke structure $M$, its diameter $d$ is the minimal number that satisfies the following formula.

$$\forall s_0, \ldots, s_{d+1}.\ \exists t_0, \ldots, t_d.\ \bigwedge_{i=0}^{d} T(s_i, s_{i+1}) \rightarrow \Big( t_0 = s_0 \wedge \bigwedge_{i=0}^{d-1} T(t_i, t_{i+1}) \wedge \bigvee_{i=0}^{d} t_i = s_{d+1} \Big)$$

For a Kripke structure with explicit state representation, well-known graph algorithms can be used to determine its diameter. For a Kripke structure $M$ with a boolean encoding, one may verify that $d$ is indeed a diameter of $M$ by evaluating a quantified boolean formula (QBF), shown in Theorem 21. We conjecture that a quantified boolean formula is necessary to express the property that $d$ is the diameter of $M$. Unfortunately, we do not know of an efficient decision procedure for QBF.

Definition 22 (Recurrence Diameter). Given a Kripke structure $M$, its recurrence diameter is the minimal number $d \in \mathbb{N}$ with the following property. For every sequence of states $s_0, \ldots, s_{d+1}$ with $(s_i, s_{i+1}) \in T$ for $i \leq d$, there exists $j \leq d$ such that $s_{d+1} = s_j$.

Theorem 23. Given an ECTL formula $f$ and a Kripke structure $M$ with recurrence diameter $d$, $M \models Ef$ iff there exists $k \leq d$ with $M \models_k Ef$.

Theorem 24. Given any Kripke structure $M$, its recurrence diameter $d$ is the minimal number that satisfies the following formula

$$\forall s_0, \ldots, s_{d+1}.\ \bigwedge_{i=0}^{d} T(s_i, s_{i+1}) \rightarrow \bigvee_{i=0}^{d} s_i = s_{d+1}$$

The recurrence diameter in Definition 22 is a bound on $k$ for bounded model checking that is applicable for all ECTL formulas. The property of a recurrence diameter can be expressed as a propositional formula as shown in Theorem 24. We may use a propositional decision procedure to determine whether a number $d$ is the recurrence diameter of a Kripke structure. The bound based on recurrence diameter is not as tight as that based on the diameter. For example, in a fully connected Kripke structure, the graph diameter is 1 while the recurrence diameter equals the number of states.
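
As an added example (not the paper's BMC tool), the following Python code applies the general translation of Definitions 10, 13, 14 and 15 and the recurrence diameter check of Theorem 24 to the shift register of Section 2; the no-loop case follows the bounded semantics of Definition 6, with which the text states the translation agrees. Rather than emitting a DIMACS or PROVE formula, it evaluates the translation on each candidate prefix $s_0, \ldots, s_k$ and decides satisfiability by enumeration, which is feasible here for $2^{3(k+1)}$ assignments; the tuple encoding of formulas and the `bit2` switch between the erroneous and the intended transition relation are the example's own assumptions.

```python
from itertools import product

# LTL formulas in negation normal form as nested tuples (encoding assumed by this example):
#   ("p", pred) / ("not", pred) with pred: state -> bool, ("and", f, g), ("or", f, g),
#   ("G", f), ("F", f), ("X", f), ("U", f, g), ("R", f, g)


def holds_noloop(f, s, i, k):
    """Bounded semantics without a loop (Definition 6): pi |=^i_k f on the prefix s."""
    op, sub = f[0], (lambda g, j: holds_noloop(g, s, j, k))
    if op == "p":   return f[1](s[i])
    if op == "not": return not f[1](s[i])
    if op == "and": return sub(f[1], i) and sub(f[2], i)
    if op == "or":  return sub(f[1], i) or sub(f[2], i)
    if op == "G":   return False      # a prefix without back loop never witnesses G f
    if op == "F":   return any(sub(f[1], j) for j in range(i, k + 1))
    if op == "X":   return i < k and sub(f[1], i + 1)
    if op == "U":   return any(sub(f[2], j) and all(sub(f[1], n) for n in range(i, j))
                               for j in range(i, k + 1))
    if op == "R":   return any(sub(f[1], j) and all(sub(f[2], n) for n in range(i, j + 1))
                               for j in range(i, k + 1))
    raise ValueError(op)


def holds_loop(f, s, i, k, l):
    """Translation for a (k, l)-loop (Definition 13): _l[[f]]^i_k evaluated on the prefix s."""
    op, sub = f[0], (lambda g, j: holds_loop(g, s, j, k, l))
    succ = i + 1 if i < k else l      # Definition 12
    if op == "p":   return f[1](s[i])
    if op == "not": return not f[1](s[i])
    if op == "and": return sub(f[1], i) and sub(f[2], i)
    if op == "or":  return sub(f[1], i) or sub(f[2], i)
    if op == "G":   return all(sub(f[1], j) for j in range(min(i, l), k + 1))
    if op == "F":   return any(sub(f[1], j) for j in range(min(i, l), k + 1))
    if op == "X":   return sub(f[1], succ)
    if op == "U":   # g at some j >= i in the prefix, or at l <= j < i after wrapping around the loop
        return (any(sub(f[2], j) and all(sub(f[1], n) for n in range(i, j))
                    for j in range(i, k + 1))
                or any(sub(f[2], j) and all(sub(f[1], n) for n in range(i, k + 1))
                       and all(sub(f[1], n) for n in range(l, j)) for j in range(l, i)))
    if op == "R":   # g along the whole loop, or f releases at j >= i, or at l <= j < i after wrapping
        return (all(sub(f[2], j) for j in range(min(i, l), k + 1))
                or any(sub(f[1], j) and all(sub(f[2], n) for n in range(i, j + 1))
                       for j in range(i, k + 1))
                or any(sub(f[1], j) and all(sub(f[2], n) for n in range(i, k + 1))
                       and all(sub(f[2], n) for n in range(l, j + 1)) for j in range(l, i)))
    raise ValueError(op)


def bmc(states, init, trans, f, k):
    """Witness (prefix, loop starts) for M |=_k E f, or None: [[M, f]]_k decided by enumeration."""
    for s in product(states, repeat=k + 1):
        # [[M]]_k (Definition 10): s_0 is initial and consecutive states are related by T
        if not (init(s[0]) and all(trans(s[i], s[i + 1]) for i in range(k))):
            continue
        loops = [l for l in range(k + 1) if trans(s[k], s[l])]   # _lL_k (Definition 14)
        # Definition 15: (not L_k and [[f]]^0_k) or some (k, l)-loop with _l[[f]]^0_k
        if (not loops and holds_noloop(f, s, 0, k)) or any(holds_loop(f, s, 0, k, l) for l in loops):
            return s, loops
    return None


def is_recurrence_diameter(states, trans, d):
    """Theorem 24 by enumeration: every T-sequence s_0..s_{d+1} repeats some s_j with j <= d."""
    return all(any(s[j] == s[d + 1] for j in range(d + 1))
               for s in product(states, repeat=d + 2)
               if all(trans(s[i], s[i + 1]) for i in range(d + 1)))


def shift_register(bit2):
    """T(x, x'): shift left by one bit, feeding bit2 into x'[2] (bit2 = 1 is the paper's bug)."""
    return lambda x, y: y[0] == x[1] and y[1] == x[2] and y[2] == bit2


STATES = list(product((0, 1), repeat=3))      # S = {0,1}^3, a state is the tuple (x[0], x[1], x[2])
INIT = lambda x: True                         # I(x) is true: the initial content is arbitrary
NONZERO = ("p", lambda x: x != (0, 0, 0))     # atomic proposition  x != 0


def first_counterexample(bit2, max_k):
    """Smallest k (procedure of Section 5) with a witness for EG(x != 0), a counterexample to AF(x = 0)."""
    for k in range(max_k + 1):
        witness = bmc(STATES, INIT, shift_register(bit2), ("G", NONZERO), k)
        if witness is not None:
            return k, witness
    return None


if __name__ == "__main__":
    print("buggy register :", first_counterexample(1, 3))
    print("fixed register :", first_counterexample(0, 3))
    print("fixed register has recurrence diameter 3:",
          is_recurrence_diameter(STATES, shift_register(0), 3)
          and not is_recurrence_diameter(STATES, shift_register(0), 2))
```

With the erroneous transition relation the search already stops at $k = 0$, where the state 111 loops to itself; with the corrected relation no witness exists up to the recurrence diameter 3, which by Theorem 23 settles $M \models AF(x = 0)$.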

5.2 LTL

LTL model checking is known to be PSPACE-complete [15]. In Section 4, we reduced bounded LTL model checking to propositional satisfiability and thus showed that it is in NP. Therefore, a polynomial bound on $k$ with respect to the size of $M$ and $f$ for which $M \models_k Ef \Leftrightarrow M \models Ef$ is unlikely to be found. Otherwise, there would be a polynomial reduction of LTL model checking problems to propositional satisfiability and thus PSPACE = NP.

Theorem 25. Given an LTL formula $f$ and a Kripke structure $M$, let $|M|$ be the number of states in $M$, then $M \models Ef$ iff there exists $k \leq |M| \times 2^{|f|}$ with $M \models_k Ef$.

For the subset of LTL formulas that involves only temporal operators $F$ and $G$, LTL model checking is NP-complete [15]. For this subset of LTL formulas, it can be shown that there exists a bound on $k$ linear in the number of states and the size of the formula.


Definition 26 (Loop Diameter). We say a Kripke structure $M$ is lasso shaped if every path $p$ starting from an initial state is of the form $u_p v_p^{\omega}$, where $u_p$ and $v_p$ are finite sequences of length less than or equal to $u$ and $v$, respectively. We define the loop diameter of $M$ as $(u, v)$.

Theorem 27. Given an LTL formula $f$ and a lasso-shaped Kripke structure $M$, let the loop diameter of $M$ be $(u, v)$; then $M \models E f$ iff there exists $k \leq u + v$ with $M \models_k E f$.

Theorem 27 shows that for a restricted class of Kripke structures, small bounds on $k$ exist. In particular, if a Kripke structure is lasso shaped, $k$ is bounded by $u + v$, where $(u, v)$ is the loop diameter of $M$.
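As an added example (not from the paper), the following computes the loop diameter of Definition 26 and the resulting bound of Theorem 27. It assumes a deterministic Kripke structure, in which every state has exactly one successor, so that each initial state starts exactly one path of the form u_p v_p^omega; the structure and its initial states are constructed.

```python
"""Loop diameter (u, v) of a lasso-shaped Kripke structure (Definition 26)
and the bound k <= u + v of Theorem 27.  Added example, not code from the
paper; assumes a deterministic structure (exactly one successor per state),
so every initial state yields exactly one path u_p v_p^omega."""


def successors(states, T):
    return {s: [t for (a, t) in T if a == s] for s in states}


def loop_diameter(states, T, initial):
    """Return (u, v): u bounds the prefix length |u_p| and v the loop
    length |v_p| over the paths from all initial states."""
    succ = successors(states, T)
    u = v = 0
    for s in initial:
        seen = []                          # states of the path, in order
        while s not in seen:
            seen.append(s)
            (s,) = succ[s]                 # deterministic: one successor
        first = seen.index(s)              # position where the loop closes
        u, v = max(u, first), max(v, len(seen) - first)
    return u, v


def bound_k(states, T, initial):
    """Bound on k given by Theorem 27 for a lasso-shaped structure."""
    return sum(loop_diameter(states, T, initial))


# Constructed lasso 0 -> 1 -> 2 -> 3 -> 1 with initial states 0 and 2:
# from 0 the prefix is [0] and the loop [1, 2, 3]; from 2 the prefix is
# empty and the loop [2, 3, 1].
LASSO = [0, 1, 2, 3]
LASSO_T = [(0, 1), (1, 2), (2, 3), (3, 1)]
LASSO_INIT = [0, 2]
```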


6  Experimental  Results 

We have implemented a model checker BMC based on bounded model checking. Its input language is a subset of the SMV language [14]. It outputs an SMV program or a propositional formula. For the propositional output mode, two different formats are supported. The first format is the DIMACS format [10] for satisfiability problems. The SATO tool [18] is a very efficient implementation of the Davis & Putnam Procedure [7] and it uses the DIMACS format. We also support the input format of the PROVE Tool [1], which is based on Stålmarck's Method [16].

As benchmarks we chose examples where BDDs are known to behave badly. First we investigated a sequential multiplier, the sequential shift and add multiplier of [6]. We formulated the following property as a model checking problem: when the sequential multiplier has finished, its output is the same as the output of a combinational multiplier (the C6288 circuit from the ISCAS'85 benchmarks) applied to the same input words. These multipliers are 16x16 bit multipliers, but we only allowed 16 output bits as in [6], together with an overflow bit. We proved the property for each output bit individually, and the results are shown in Table 1. For SATO we conducted two experiments to study the effect of the '-g' parameter that controls the maximal size of cached clauses. We picked a very small value ('-g 5') and a very large value ('-g 50'). Note that the overflow bit depends on all the bits of the sequential multiplier and occurs in the specification. Thus, cone of influence reduction could not remove anything.

In the column SMV1 of Table 1 the official version of the CMU model checker SMV was used. SMV2 is a version by Bwolen Yang from CMU with improved support for conjunctive partitioning. We used a manually chosen variable ordering where the bits of registers are interleaved. Dynamic reordering failed to find a considerably better ordering in a reasonable amount of time.

We used a barrel shifter as another example. It rotates the contents of a register file $b$ with each step by one position. The model also contains another register file $r$ that is related to $b$ in the following way. If a register in $r$ and one in $b$ have the same contents, then their neighbors also have the same contents. This property holds in the initial state of the model, and we proved that it is valid in all successor states. The results of this experiment can be found in Table 2. The width of the registers is chosen to be $\lceil \log_2 |r| \rceil$, where $|r|$ is the number of registers in the register file $r$. In this case we were also able to prove the recurrence diameter (see Definition 22) to be $|r|$. This took only very little time compared to the total verification time and is shown in the column "diameter".

Table 1. 16x16 bit sequential shift and add multiplier with overflow flag and 16 output bits (sec = seconds, MB = Mega Byte).

In [13] an asynchronous circuit for distributed mutual exclusion is described. It consists of $n$ cells for $n$ users that want to have exclusive access to a shared resource. We proved the liveness property that a request for using the resource will eventually be acknowledged. This liveness property is only true if each asynchronous gate does not delay execution indefinitely. We model this assumption by a fairness constraint for each individual gate. Each cell has exactly 18 gates and therefore the model has $n \cdot 18$ fairness constraints, where $n$ is the number of cells. Since we do not have a bound for the maximal length of a counterexample for the verification of this circuit, we could not verify the liveness property completely. We only showed that there are no counterexamples of a particular length $k$. To illustrate the performance of bounded model checking we have chosen $k = 5, 10$. The results can be found in Table 3.

We repeated the experiment with a buggy design. For the liveness property we simply removed several fairness constraints. Both PROVE and SATO generate a counterexample (a 2-loop) instantly (see Table 4).


7  Conclusion 

This work is the first step in applying SAT procedures to symbolic model checking. We believe that our technique has the potential to handle much larger designs than what is currently possible. Towards this goal, we propose several promising directions of research. We would like to investigate how to use domain knowledge to guide the search in SAT procedures. New techniques are needed to determine the diameter of a system. In particular, it would be interesting to study efficient decision procedures for QBF. Combining bounded model checking with other state space reduction techniques presents another interesting problem.


 |r| | SMV2      | SATO -g100 | SATO -g20  | PROVE     | PROVE
     |           | diameter   |            | diameter  |
     | sec   MB  | sec   MB   | sec   MB   | sec   MB  | sec   MB
  3  |   1   49  |   0    1   |   0    0   |   0    1  |   0    1
  4  |   1   49  |   0    1   |   0    1   |   0    1  |   0    1
  5  |  13   83  |   0    2   |  60    2   |   0    1  |   1    2
  6  | 509  447  |   1    4   | 364    4   |   0    1  |   2    3
  7  |   >1GB    |   3    6   |1252    6   |   0    2  |   2    4
  8  |           |   5    8   |2160    9   |   0    2  |   7    5
  9  |           |  25   14   |   >21h     |   0    3  |  16    9
 10  |           |  42   19   |            |   1    4  |  55   11

Table 2. Barrel shifter (|r| = number of registers, sec = seconds, MB = Mega Bytes).
cells | SMV1       | SMV2       | SATO k=5 | PROVE k=5 | SATO k=10 | PROVE k=10
      | sec    MB  | sec    MB  | sec  MB  | sec  MB   | sec   MB  | sec    MB
   4  |   846  11  |  159  217  |  0    3  |   1   3   |   3    6  |   54    5
   5  |  2166  15  |  530  703  |  0    4  |   2   3   |   9    8  |   95    5
   6  |  4857  18  | 1762  703  |  0    4  |   3   3   |   7    9  |  149    6
   7  |  9985  24  | 6563  833  |  0    5  |   4   4   |  15   10  |  224    8
   8  | 19595  31  |   >1GB     |  1    6  |   6   5   |  16   12  |  323    8
   9  |   >10h     |            |  1    6  |   9   5   |  24   13  |  444    9
  10  |            |            |  1    7  |  10   5   |  36   15  |        10
  11  |            |            |  1    8  |  13   6   |  38   16  |        11
  12  |            |            |  1    9  |  16   6   |  40   18  | 1044   11
  13  |            |            |  1    9  |  19   8   | 107   19  | 1317   12
  14  |            |            |  1   10  |  22   8   |  70   21  | 1634   14
  15  |            |            |  1   11  |  27   8   | 168   22  | 1992   15

Table 3. Liveness for one user in the DME (sec = seconds, MB = Mega Bytes).
cells | SMV1         | SMV2       | SATO    | PROVE
      | sec     MB   | sec    MB  | sec MB  | sec MB
   4  |   799   11   |   14   44  |  0   1  |  0   2
   5  |  1661   14   |   24   57  |  0   1  |  0   2
   6  |      40      |   38   74  |      1  |  0   2
   8  |      73      |            |  0   1  |  0   2
   9  | segmentation |  172  220  |  0   1  |  1   2
  10  | fault        |  244  702  |  0   1  |  0   3
  11  |              |  413  702  |  0   1  |  0   3
  12  |              |  719  702  |  0   2  |  1   3
  13  |              |  843  702  |  0   2  |  1   3
  14  |              | 1060  702  |  0   2  |  1   3
  15  |              | 1429  702  |  0   2  |  1   3

Table 4. Counterexample for liveness in a buggy DME (sec = seconds, MB = Mega Bytes).